High severity · 8.8 · OSV Advisory · Published Feb 13, 2025 · Updated Apr 15, 2026
CVE-2025-26511
Description
Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which, when successfully exploited, could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.instaclustr:cassandra-lucene-index-plugin (Maven) | >= 4.0-rc1-1.0.0, < 4.0.17-1.0.0 | 4.0.17-1.0.0 |
| com.instaclustr:cassandra-lucene-index-plugin (Maven) | >= 4.1.0-1.0.0, < 4.1.8-1.0.1 | 4.1.8-1.0.1 |
Affected products
- Range: cassandra-4.0-rc1-1.0.0, cassandra-4.0-rc1-1.0.1, cassandra-4.0-rc2-1.0.0, …
- ghsa-coords · Range: >= 4.0-rc1-1.0.0, < 4.0.17-1.0.0
References
- github.com/advisories/GHSA-mrqp-q7vx-v2cx (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-26511 (ghsa, ADVISORY)
- github.com/instaclustr/cassandra-lucene-index/commit/44ab4b639c9354a6335f40b1cf6178c745c6e101 (nvd, WEB)
- github.com/instaclustr/cassandra-lucene-index/commit/94380b165bd3e597d3e22e47f8cc674ec7c7bf7f (ghsa, WEB)
- github.com/instaclustr/cassandra-lucene-index/security/advisories/GHSA-mrqp-q7vx-v2cx (nvd, WEB)